GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-05-13 00:30:11 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD64 rev.01.0 596,17GB Running: kczd7h8s.exe; Driver: C:\Users\user\AppData\Local\Temp\pxldqpow.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1724] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075a987b1 4 bytes [C2, 04, 00, 00] .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1724] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 00000000769b1465 2 bytes [9B, 76] .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1724] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000769b14bb 2 bytes [9B, 76] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3712] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000769b1465 2 bytes [9B, 76] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3712] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000769b14bb 2 bytes [9B, 76] .text ... * 2 ? C:\Windows\system32\mssprxy.dll [3712] entry point in ".rdata" section 00000000739671e6 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077b1f991 7 bytes {MOV EDX, 0x55de28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077b1fbd5 7 bytes {MOV EDX, 0x55de68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077b1fc05 7 bytes {MOV EDX, 0x55dda8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077b1fc1d 7 bytes {MOV EDX, 0x55dd28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077b1fc35 7 bytes {MOV EDX, 0x55df28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077b1fc65 7 bytes {MOV EDX, 0x55df68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077b1fce5 7 bytes {MOV EDX, 0x55dee8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077b1fcfd 7 bytes {MOV EDX, 0x55dea8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077b1fd49 7 bytes {MOV EDX, 0x55dc68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077b1fe41 7 bytes {MOV EDX, 0x55dca8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077b20099 7 bytes {MOV EDX, 0x55dc28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077b210a5 7 bytes {MOV EDX, 0x55dde8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077b2111d 7 bytes {MOV EDX, 0x55dd68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077b21321 7 bytes {MOV EDX, 0x55dce8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000769b1465 2 bytes [9B, 76] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000769b14bb 2 bytes [9B, 76] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077b1f991 7 bytes {MOV EDX, 0x247a28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077b1fbd5 7 bytes {MOV EDX, 0x247a68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077b1fc05 7 bytes {MOV EDX, 0x2479a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077b1fc1d 7 bytes {MOV EDX, 0x247928; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077b1fc35 7 bytes {MOV EDX, 0x247b28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077b1fc65 7 bytes {MOV EDX, 0x247b68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077b1fce5 7 bytes {MOV EDX, 0x247ae8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077b1fcfd 7 bytes {MOV EDX, 0x247aa8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077b1fd49 7 bytes {MOV EDX, 0x247868; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077b1fe41 7 bytes {MOV EDX, 0x2478a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077b20099 7 bytes {MOV EDX, 0x247828; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077b210a5 7 bytes {MOV EDX, 0x2479e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077b2111d 7 bytes {MOV EDX, 0x247968; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077b21321 7 bytes {MOV EDX, 0x2478e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3960] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000769b1465 2 bytes [9B, 76] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3960] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000769b14bb 2 bytes [9B, 76] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077b1f991 7 bytes {MOV EDX, 0x98c228; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077b1fbd5 7 bytes {MOV EDX, 0x98c268; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077b1fc05 7 bytes {MOV EDX, 0x98c1a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077b1fc1d 7 bytes {MOV EDX, 0x98c128; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077b1fc35 7 bytes {MOV EDX, 0x98c328; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077b1fc65 7 bytes {MOV EDX, 0x98c368; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077b1fce5 7 bytes {MOV EDX, 0x98c2e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077b1fcfd 7 bytes {MOV EDX, 0x98c2a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077b1fd49 7 bytes {MOV EDX, 0x98c068; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077b1fe41 7 bytes {MOV EDX, 0x98c0a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077b20099 7 bytes {MOV EDX, 0x98c028; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077b210a5 7 bytes {MOV EDX, 0x98c1e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077b2111d 7 bytes {MOV EDX, 0x98c168; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077b21321 7 bytes {MOV EDX, 0x98c0e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4032] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000769b1465 2 bytes [9B, 76] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4032] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000769b14bb 2 bytes [9B, 76] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077b1f991 7 bytes {MOV EDX, 0xb57e28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077b1fbd5 7 bytes {MOV EDX, 0xb57e68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077b1fc05 7 bytes {MOV EDX, 0xb57da8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077b1fc1d 7 bytes {MOV EDX, 0xb57d28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077b1fc35 7 bytes {MOV EDX, 0xb57f28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077b1fc65 7 bytes {MOV EDX, 0xb57f68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077b1fce5 7 bytes {MOV EDX, 0xb57ee8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077b1fcfd 7 bytes {MOV EDX, 0xb57ea8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077b1fd49 7 bytes {MOV EDX, 0xb57c68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077b1fe41 7 bytes {MOV EDX, 0xb57ca8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077b20099 7 bytes {MOV EDX, 0xb57c28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077b210a5 7 bytes {MOV EDX, 0xb57de8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077b2111d 7 bytes {MOV EDX, 0xb57d68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077b21321 7 bytes {MOV EDX, 0xb57ce8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3340] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000769b1465 2 bytes [9B, 76] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3340] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000769b14bb 2 bytes [9B, 76] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2740] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077b1f991 7 bytes {MOV EDX, 0xc26228; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2740] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077b1fbd5 7 bytes {MOV EDX, 0xc26268; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2740] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077b1fc05 7 bytes {MOV EDX, 0xc261a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2740] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077b1fc1d 7 bytes {MOV EDX, 0xc26128; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2740] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077b1fc35 7 bytes {MOV EDX, 0xc26328; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2740] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077b1fc65 7 bytes {MOV EDX, 0xc26368; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2740] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077b1fce5 7 bytes {MOV EDX, 0xc262e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2740] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077b1fcfd 7 bytes {MOV EDX, 0xc262a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2740] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077b1fd49 7 bytes {MOV EDX, 0xc26068; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2740] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077b1fe41 7 bytes {MOV EDX, 0xc260a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2740] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077b20099 7 bytes {MOV EDX, 0xc26028; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2740] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077b210a5 7 bytes {MOV EDX, 0xc261e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2740] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077b2111d 7 bytes {MOV EDX, 0xc26168; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2740] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077b21321 7 bytes {MOV EDX, 0xc260e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2740] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000769b1465 2 bytes [9B, 76] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2740] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000769b14bb 2 bytes [9B, 76] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077b1f991 7 bytes {MOV EDX, 0x1068e28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077b1fbd5 7 bytes {MOV EDX, 0x1068e68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077b1fc05 2 bytes [BA, A8] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 8 0000000077b1fc08 4 bytes [06, 01, FF, E2] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077b1fc1d 2 bytes [BA, 28] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 8 0000000077b1fc20 4 bytes [06, 01, FF, E2] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077b1fc35 7 bytes {MOV EDX, 0x1068f28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077b1fc65 7 bytes {MOV EDX, 0x1068f68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077b1fce5 7 bytes {MOV EDX, 0x1068ee8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077b1fcfd 7 bytes {MOV EDX, 0x1068ea8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077b1fd49 7 bytes {MOV EDX, 0x1068c68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077b1fe41 7 bytes {MOV EDX, 0x1068ca8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077b20099 7 bytes {MOV EDX, 0x1068c28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077b210a5 2 bytes [BA, E8] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 8 0000000077b210a8 4 bytes {CALL 0xffffffffff010692} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077b2111d 2 bytes [BA, 68] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 8 0000000077b21120 4 bytes [06, 01, FF, E2] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077b21321 7 bytes {MOV EDX, 0x1068ce8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3900] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000769b1465 2 bytes [9B, 76] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3900] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000769b14bb 2 bytes [9B, 76] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077b1f991 7 bytes {MOV EDX, 0xe64e28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077b1fbd5 7 bytes {MOV EDX, 0xe64e68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077b1fc05 7 bytes {MOV EDX, 0xe64da8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077b1fc1d 7 bytes {MOV EDX, 0xe64d28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077b1fc35 7 bytes {MOV EDX, 0xe64f28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077b1fc65 7 bytes {MOV EDX, 0xe64f68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077b1fce5 7 bytes {MOV EDX, 0xe64ee8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077b1fcfd 7 bytes {MOV EDX, 0xe64ea8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077b1fd49 7 bytes {MOV EDX, 0xe64c68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077b1fe41 7 bytes {MOV EDX, 0xe64ca8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077b20099 7 bytes {MOV EDX, 0xe64c28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077b210a5 7 bytes {MOV EDX, 0xe64de8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077b2111d 7 bytes {MOV EDX, 0xe64d68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077b21321 7 bytes {MOV EDX, 0xe64ce8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2220] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000769b1465 2 bytes [9B, 76] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2220] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000769b14bb 2 bytes [9B, 76] .text ... * 2 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001986003c65 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001986003c65@0017e5d56349 0x1D 0x4B 0x91 0x11 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE0 0x1A 0xE1 0x36 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001986003c65 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001986003c65@0017e5d56349 0x1D 0x4B 0x91 0x11 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE0 0x1A 0xE1 0x36 ... ---- EOF - GMER 2.1 ----